
Code · BILL · 117th Congress · S. 2902 (Introduced in Senate) — To modernize Federal information security management, and for other purposes. · Sec. 301

Sec. 301. Continuous independent FISMA evaluation pilot


Not later than 2 years after the date of enactment of this Act, the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall establish a pilot program to perform continual agency auditing of the standards promulgated under section 11331 of title 40, United States Code.

The purpose of the pilot program established under subsection (a) shall be to develop the capability to continuously audit agency cybersecurity postures, rather than performing an annual audit.

It is the sense of Congress that information relating to agency cybersecurity postures should be used, on an ongoing basis, to increase agency understanding of cybersecurity risk and improve agency cybersecurity.

The Director, in coordination with the Council of the Inspectors General on Integrity and Efficiency and in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, shall identify not less than 1 agency and the Inspector General of each identified agency to participate in the pilot program established under subsection (a).

An agency selected under paragraph (1) shall have advanced cybersecurity capabilities, including the capability to implement verification specifications and other automated and machine-readable means of sharing information.

The Inspector General of an agency selected under paragraph (1) shall have advanced cybersecurity capabilities, including the ability—
  - to perform real-time or almost real-time and continuous analysis of the use of verification specifications by the agency to assess compliance with standards promulgated under section 11331 of title 40, United States Code; and
  - to assess the impact and deployment of additional cybersecurity procedures.

The Director, in coordination with the Council of the Inspectors General on Integrity and Efficiency, the Director of the Cybersecurity and Infrastructure Security Agency, and the head of each agency participating in the pilot program under subsection (c), shall develop processes and procedures to perform a continuous independent evaluation of—
  - the compliance of the agency with—
      - the standards promulgated under section 11331 of title 40, United States Code, using verification specifications to the greatest extent practicable; and
      - any additional cybersecurity procedures implemented by the agency as a result of the evaluation performed under section 3554(a)(1)(F) of title 44, United States Code; and
  - the overall cybersecurity posture of the agency, which may include an evaluation of—
      - the status of cybersecurity remedial actions of the agency;
      - any vulnerability information relating to agency systems that is known to the agency;
      - incident information of the agency;
      - penetration testing performed by an external entity under section 3559A of title 44, United States Code;
      - information from the vulnerability disclosure program information established under section 3559B of title 44, United States Code;
      - agency threat hunting results; and
      - any other information determined relevant by the Director.

With respect to an agency that participates in the pilot program under subsection (a) during any year other than the first year during which the pilot program is conducted, the Director, with the concurrence of the Director of the Cybersecurity and Infrastructure Security Agency, may waive any requirement of the agency with respect to the annual independent evaluation under section 3555 of title 44, United States Code.

The pilot program established under this section—
  - shall be performed over a period of not less than 2 years at each agency that participates in the pilot program under subsection (c), unless the Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the Council of the Inspectors General on Integrity and Efficiency, determines that continuing the pilot program would reduce the cybersecurity of the agency; and
  - may be extended by the Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the Council of the Inspectors General on Integrity and Efficiency, if the Director makes the determination described in paragraph (1).

Before identifying any agencies to participate in the pilot program under subsection (c), the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency and the Council of the Inspectors General on Integrity and Efficiency, shall submit to the appropriate congressional committees a plan for the pilot program that outlines selection criteria and preliminary plans to implement the pilot program.

Before commencing a continuous independent evaluation of any agency under the pilot program established under subsection (a), the Director shall provide to the appropriate congressional committees a briefing on—
  - the selection of agencies to participate in the pilot program; and
  - processes and procedures to perform a continuous independent evaluation of agencies.

Not later than 60 days after the final day of each year during which an agency participates in the pilot program established under subsection (a), the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency and the Council of the Inspectors General on Integrity and Efficiency, shall submit to the appropriate congressional committees a report on the results of the pilot program for each agency that participates in the pilot program during that year.